The growth of networked computer systems has directly or indirectly increased the frequency and complexity of cyber-attacks against these systems. A cyber-attack may be an attempt by a person (e.g., a hacker) to effectuate a cyber-threat that, for example, damages or destroys a cyberspace operational environment. A cyber-threat, in turn, may be an event that has the potential to adversely affect a cyberspace operational environment, such as data loss. A cyber risk may be the set of potentially adverse outcomes related to the occurrence of a cyber-threat, such as a lawsuit resulting from damages to customers caused by the loss of their personally identifiable information.
Several security controls exist to counter the cyber threats associated with cyber-attacks and thereby reduce the risks to organizational capabilities that rely on cyber-based Information Technology (IT) assets. However, such security controls may be expensive to implement. Thus, organizations typically do not implement every combination of security controls available in the market, and instead seek a tradeoff between the cost of implementing security controls and the risks those controls mitigate.
Cyber liability insurance has evolved as the most prevalent mechanism for transferring the risk of cyber threats in a cyberspace operational environment to a third party. In a typical cyber liability insurance transaction, an insurance provider advertises a policy with rules and coverages at a specific premium. Organizations that want to defray the risks covered by that policy under its specific rules, and that are willing to pay the premium, purchase the policy. The rules and coverages determine the contractual guidelines of the policy, and although they may derive from standard cyber threat models, each policy has its own specific set of rules and coverages. For example, a standard threat model may identify the transmission of personally identifiable information in unencrypted form over an open network as a significant threat. However, if that specific threat is not relevant to the contractual coverages and rules of a policy, then it may not be applicable to a cyber-risk assessment specific to that policy.